Trojan Found in Google Play Signs Users up for Premium Subscriptions

Joker, a new Trojan, has been found on Google Play for Android, hiding behind the advertisement framework of compromised apps, and has been active since early June. It signs users up for premium subscriptions and steals personal data. A total of 24 Play Store apps, including ones with over 100,000 downloads, have been found to be infected with this malware.

Many of the Joker-infected apps primarily target European and Asian countries. It has also been discovered that most of these apps have an additional check to ensure that the payload doesn’t execute when running in the US or Canada.

CSIS Security Group announced, “The full list of 37 targeted countries includes: Australia, Austria, Belgium, Brazil, China, Cyprus, Egypt, France, Germany, Ghana, Greece, Honduras, India, Indonesia, Ireland, Italy, Kuwait, Malaysia, Myanmar, Netherlands, Norway, Poland, Portugal, Qatar, Republic of Argentina, Serbia, Singapore, Slovenia, Spain, Sweden, Switzerland, Thailand, Turkey, Ukraine, United Arab Emirates, United Kingdom and United States.” They have also released the list of indicators of compromise.

The compromised apps contain a set of Mobile Country Codes. The country code of the potential victim’s SIM card is compared with this list. If it matches, Joker goes ahead and downloads the second-stage malicious component.
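
An embedded country-code list like the one described above can serve as a static triage signal when reviewing strings extracted from an app. The following is an added example, not code from CSIS or from the malware: it assumes the list appears as a delimiter-separated run of three-digit codes, and the regex, the 80% threshold, the partial MCC table and the sample strings are all constructed for illustration.

```python
import re

# Partial table of ITU-T E.212 Mobile Country Codes (real values, subset only).
MCC = {
    "202": "Greece", "204": "Netherlands", "206": "Belgium", "208": "France",
    "214": "Spain", "222": "Italy", "232": "Austria", "234": "United Kingdom",
    "240": "Sweden", "242": "Norway", "260": "Poland", "262": "Germany",
    "268": "Portugal", "272": "Ireland", "286": "Turkey", "302": "Canada",
    "310": "United States", "404": "India", "460": "China", "502": "Malaysia",
    "505": "Australia", "510": "Indonesia", "520": "Thailand",
    "525": "Singapore", "724": "Brazil",
}

# Five or more three-digit tokens separated by common list delimiters.
RUN = re.compile(r"(?<!\d)\d{3}(?:[,;|\s]+\d{3}){4,}(?!\d)")


def find_mcc_lists(strings, min_known=0.8):
    """Flag strings that embed a list made up mostly of valid MCCs."""
    findings = []
    for s in strings:
        for m in RUN.finditer(s):
            codes = re.findall(r"\d{3}", m.group())
            known = [c for c in codes if c in MCC]
            if len(known) / len(codes) < min_known:
                continue  # numeric list, but not country codes
            findings.append({
                "source": s,
                "codes": codes,
                "countries": sorted({MCC[c] for c in known}),
                # True when neither Canada (302) nor the US (310) is listed.
                "omits_us_ca": not ({"302", "310"} & set(codes)),
            })
    return findings


# Constructed sample of strings as they might come out of a strings dump.
SAMPLE = [
    "https://example.invalid/config",
    "262,208,234,404,460,724,505",
    "100 200 300 400 500 600",
    "v1.2.3",
]

if __name__ == "__main__":
    for f in find_mcc_lists(SAMPLE):
        print(f["countries"], "omits US/CA:", f["omits_us_ca"])
```

A hit is a reason to look closer at what the app does with the SIM country code, not a verdict: legitimate apps also ship MCC tables for localization and carrier billing.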